Home page logo

webappsec logo WebApp Sec mailing list archives

Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Sun, 20 Oct 2002 21:19:39 -0400

The simple solution to this problem is to actually generate a new
password for the user and email them that instead and force them to
change it on the first login. That achieves a few security goals:

This does nothing to defend against the scenario I wrote about earlier in
this thread.  You can read it here:

To reiterate, unencrypted email offers no garauntee of privacy or

Kevin Spett
SPI Labs

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]